Kerberos
Kerberos is a network authentication protocol that uses tickets and symmetric cryptography to securely authenticate users and services.
What is Kerberos?
Kerberos is a strong authentication protocol designed to let users and services prove their identity over an untrusted network. It relies on tickets issued by a trusted authority (the Key Distribution Center) so that, after an initial logon, a user can authenticate to services for the rest of the session without sending the password again.
Kerberos is the default authentication mechanism in many enterprise environments, especially those using directory services.
Why Kerberos matters
Kerberos is critical because it:
- Eliminates repeated password transmission over the network
- Enables secure Single Sign-On (SSO)
- Scales well in large enterprise environments
- Provides mutual authentication (client and server)
- Underpins many identity-based access controls
It is foundational to modern identity and access management.
How Kerberos works (simplified)
Kerberos authentication typically follows these steps:
- The user authenticates to the Authentication Server (AS)
- A Ticket Granting Ticket (TGT) is issued
- The user requests access to a service from the Ticket Granting Server (TGS)
- A service ticket is issued
- The user accesses the service using the ticket
Passwords are never sent to services directly.
Key Kerberos components
Core Kerberos elements include:
- KDC (Key Distribution Center) - trusted authority
- AS (Authentication Server) - verifies user identity
- TGS (Ticket Granting Server) - issues service tickets
- TGT (Ticket Granting Ticket) - enables SSO
- Service tickets - grant access to specific services
All components rely on synchronized time and shared secrets.
Kerberos and time synchronization
Kerberos is time-sensitive:
- Tickets have strict validity periods
- Clock skew beyond a small threshold causes failures
- NTP is required for reliable operation
Time drift is one of the most common causes of Kerberos errors.
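The five-step exchange from "How Kerberos works" and the ticket-lifetime and clock-skew checks from this section, as an added Python example that is not part of the original page. It assumes constructed names (realm EXAMPLE.LOCAL, user alice, service cifs/fs01), a toy HMAC-based cipher standing in for a real Kerberos encryption type, and one shared clock for the KDC and the service against which the client's clock can be skewed. `demo()` runs the AS, TGS and AP exchanges and returns the authenticated principal, or the reason the exchange was refused.

```python
import hashlib, hmac, json, os
MAX_SKEW = 300          # seconds; the usual default clock-skew tolerance (5 minutes)
TICKET_LIFE = 8 * 3600  # constructed ticket lifetime in seconds
def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key, obj):
    # Toy authenticated encryption (HMAC keystream XOR + HMAC tag), a stand-in for a Kerberos enctype.
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def decrypt(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(password, salt):
    # The long-term key is derived from the password; the password itself never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)

def check_ticket(key, ticket, now):
    t = decrypt(key, ticket)                 # only the key owner (KDC or service) can open a ticket
    if now > t["end"]:
        raise PermissionError("ticket expired")
    return t

def check_authenticator(session_key, auth, cname, now):
    a = decrypt(session_key, auth)           # proves the sender holds the ticket's session key
    if a["cname"] != cname:
        raise PermissionError("authenticator does not match ticket principal")
    if abs(now - a["ctime"]) > MAX_SKEW:     # the check that clock drift breaks
        raise PermissionError("clock skew too large")
    return a

class KDC:                                   # AS and TGS roles of the Key Distribution Center
    def __init__(self, now):
        self.now, self.krbtgt_key = now, os.urandom(32)   # krbtgt key protects every TGT
        self.users, self.services = {}, {}   # principal name -> long-term key
    def as_exchange(self, cname):
        # AS-REQ -> AS-REP: a TGT plus a session key that only the user's key can unwrap
        sk, end = os.urandom(32).hex(), self.now() + TICKET_LIFE
        return {"tgt": encrypt(self.krbtgt_key, {"cname": cname, "key": sk, "end": end}),
                "enc_part": encrypt(self.users[cname], {"key": sk, "end": end})}
    def tgs_exchange(self, tgt, auth, sname):
        # TGS-REQ -> TGS-REP: validate TGT + authenticator, then issue a service ticket
        t = check_ticket(self.krbtgt_key, tgt, self.now())
        check_authenticator(bytes.fromhex(t["key"]), auth, t["cname"], self.now())
        sk, end = os.urandom(32).hex(), self.now() + TICKET_LIFE
        return {"ticket": encrypt(self.services[sname], {"cname": t["cname"], "key": sk, "end": end}),
                "enc_part": encrypt(bytes.fromhex(t["key"]), {"key": sk, "sname": sname})}

class Service:
    def __init__(self, key, now):
        self.key, self.now = key, now
    def ap_exchange(self, ticket, auth):
        # AP-REQ -> AP-REP: check ticket and authenticator, then prove knowledge of the session key
        t = check_ticket(self.key, ticket, self.now())
        sk = bytes.fromhex(t["key"])
        a = check_authenticator(sk, auth, t["cname"], self.now())
        return t["cname"], encrypt(sk, {"ctime": a["ctime"]})

class Client:
    def __init__(self, cname, password, realm, now):
        self.cname, self.now = cname, now
        self.key = password_key(password, realm + cname)
    def logon(self, kdc):
        rep = kdc.as_exchange(self.cname)
        part = decrypt(self.key, rep["enc_part"])   # wrong password -> wrong key -> fails here
        self.tgt, self.tgt_key = rep["tgt"], bytes.fromhex(part["key"])
    def get_service_ticket(self, kdc, sname):
        auth = encrypt(self.tgt_key, {"cname": self.cname, "ctime": self.now()})
        rep = kdc.tgs_exchange(self.tgt, auth, sname)
        return rep["ticket"], bytes.fromhex(decrypt(self.tgt_key, rep["enc_part"])["key"])
    def access(self, service, ticket, sk):
        ctime = self.now()
        cname, ap_rep = service.ap_exchange(ticket, encrypt(sk, {"cname": self.cname, "ctime": ctime}))
        if decrypt(sk, ap_rep)["ctime"] != ctime:   # mutual authentication: the service proved itself
            raise PermissionError("service could not prove it holds the session key")
        return cname

def demo(password="correct horse", client_skew=0, elapsed=0):
    # Run AS, TGS and AP exchanges; return the authenticated principal or the failure reason.
    clock = {"t": 1_700_000_000}             # constructed clock shared by KDC and service
    kdc = KDC(lambda: clock["t"])
    kdc.users["alice"] = password_key("correct horse", "EXAMPLE.LOCAL" + "alice")
    kdc.services["cifs/fs01"] = os.urandom(32)
    fs01 = Service(kdc.services["cifs/fs01"], lambda: clock["t"])
    alice = Client("alice", password, "EXAMPLE.LOCAL", lambda: clock["t"] + client_skew)
    try:
        alice.logon(kdc)
        ticket, sk = alice.get_service_ticket(kdc, "cifs/fs01")
        clock["t"] += elapsed                # time passes before the ticket is presented
        return alice.access(fs01, ticket, sk)
    except (ValueError, PermissionError) as err:
        return str(err)
```

`demo()` returns `"alice"`; `demo(password="wrong")` fails inside the client when the AS reply cannot be unwrapped, which is why no password ever crosses the network; `demo(client_skew=600)` is refused by the KDC with "clock skew too large" before any service ticket is issued, and `demo(elapsed=9 * 3600)` is refused by the service with "ticket expired".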
Kerberos in enterprise environments
Kerberos is widely used for:
- User authentication in directory services
- Windows domain logons
- Secure access to file shares and applications
- Enterprise SSO implementations
- Authentication between services (service accounts)
It is deeply integrated into many enterprise platforms.
Kerberos vs NTLM
| Aspect | Kerberos | NTLM |
|---|---|---|
| Security | Strong | Weaker |
| SSO | Yes | Limited |
| Mutual authentication | Yes | No |
| Scalability | High | Lower |
| Modern usage | Preferred | Legacy |
Kerberos is the recommended protocol in modern environments.
Kerberos security considerations
While robust, Kerberos has risks if mismanaged:
- Stolen tickets can be reused (pass-the-ticket)
- Weak service account passwords increase risk
- Improper delegation settings can be abused
- Poor time synchronization breaks authentication
Proper configuration and monitoring are essential.
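An added example (not from the original page) of the monitoring this section calls for: two detection rules run over constructed Windows Security event 4769 (Kerberos service ticket request) records. The field names TargetUserName, ServiceName, TicketEncryptionType and Status are the ones the event carries; the account names, timestamps and thresholds are constructed. Rule 1 flags service tickets for user service accounts issued with the legacy RC4 encryption type (0x17), the form in which a weak service account password is exposed to offline guessing; rule 2 flags one account requesting tickets for many distinct services in a short window, which is not how an ordinary user works.

```python
from collections import defaultdict

RC4_HMAC = "0x17"   # legacy enctype; AES128/AES256 are 0x11/0x12
SUCCESS = "0x0"

# Constructed sample 4769 records; "time" is seconds relative to the first event.
EVENTS = [
    {"time": 0,   "TargetUserName": "bob@EXAMPLE.LOCAL",   "ServiceName": "FS01$",      "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": 5,   "TargetUserName": "bob@EXAMPLE.LOCAL",   "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": 40,  "TargetUserName": "eve@EXAMPLE.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": 41,  "TargetUserName": "eve@EXAMPLE.LOCAL",   "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": 42,  "TargetUserName": "eve@EXAMPLE.LOCAL",   "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": 43,  "TargetUserName": "eve@EXAMPLE.LOCAL",   "ServiceName": "svc_mon",    "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": 44,  "TargetUserName": "eve@EXAMPLE.LOCAL",   "ServiceName": "svc_print",  "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": 45,  "TargetUserName": "eve@EXAMPLE.LOCAL",   "ServiceName": "svc_ghost",  "TicketEncryptionType": "0x17", "Status": "0x7"},
    {"time": 900, "TargetUserName": "carol@EXAMPLE.LOCAL", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": 950, "TargetUserName": "carol@EXAMPLE.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "Status": "0x0"},
]

def is_user_service_account(name):
    # Computer accounts end in "$" and krbtgt is the TGS itself; neither has a human-chosen password.
    return not name.endswith("$") and name.lower() != "krbtgt"

def rc4_service_tickets(events):
    """Rule 1: successful service tickets for user service accounts issued with RC4."""
    return [f"RC4 service ticket for {e['ServiceName']} requested by {e['TargetUserName']}"
            for e in events
            if e["Status"] == SUCCESS and e["TicketEncryptionType"] == RC4_HMAC
            and is_user_service_account(e["ServiceName"])]

def ticket_harvesting(events, threshold=5, window=60):
    """Rule 2: one requester obtaining tickets for >= threshold distinct service accounts within window seconds."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["Status"] == SUCCESS and is_user_service_account(e["ServiceName"]):
            by_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):          # sliding window anchored at each request
            names = {x["ServiceName"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(names) >= threshold:
                alerts.append(f"{user} requested tickets for {len(names)} distinct services within {window}s")
                break                            # one alert per requester
    return alerts

if __name__ == "__main__":
    for alert in rc4_service_tickets(EVENTS) + ticket_harvesting(EVENTS):
        print(alert)
```

On the sample data rule 1 fires six times (five for eve, one for carol's legacy service) and rule 2 fires once for eve; bob's requests for a computer account and for krbtgt are ignored, as is eve's failed request. Rule 1 alerts on carol's single request as well, which is the point: any RC4 ticket for a user service account is worth following up with a stronger, rotated password and an AES-only configuration for that account.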
Common misconceptions
- "Kerberos uses public-key encryption everywhere" (it is built on symmetric keys and shared secrets)
- "Kerberos eliminates all credential theft" (stolen tickets can still be reused, as noted under security considerations)
- "Kerberos works without time synchronization" (clock skew beyond the tolerance makes authentication fail)
- "Kerberos is only for Windows" (it is an open standard implemented on many platforms)